MakeWebGames

PHP Basic Username Search Box


Blade Maker


I made a basic Username search box for anyone out there looking for an easy to edit script.

This script is ready to be installed to your website, but will need modifications to suit your needs.

I will be willing to install it for you for free and/or modify it.

 

<form method="POST">
<input type="text" name="search" />
<input type="submit" name="submit" />
</form>

<?php

$search = $_POST['search'];
$submit = $_POST['submit'];

if(isset($submit)){

if(!strlen($search)){

   	# Change depending on how you report user errors.
   	die('Please enter a search term.'); 
   	exit;

} else {


 $connect = mysql_connect('host', 'username', 'password') or die('Couldn\'t connect!');
 mysql_select_db('database') or die('Couldn\'t find db');

 # mysql_real_escape_string() needs the open connection and returns the
 # escaped copy, so call it here and keep the result.
 $search = mysql_real_escape_string($search);

$searchsql = mysql_query("SELECT username FROM `users` WHERE username LIKE '%$search%'");
while ($row = mysql_fetch_array($searchsql))

{

?>
[url="<?php echo $row['username']; ?>.php"]<?php echo $row["username"]; ?>[/url]






<?php

}
}
}

?>

 

I will try to add security, hold on.

Link to comment
Share on other sites

Hmm, I'm going to be really picky now, but I develop with error reporting set to -1 (Better than E_ALL) and this will spit out errors..

 

# NO, NO, NO!
$search = $_POST['search'];
$submit = $_POST['submit'];

if($submit){

 

# Use error reporting people! It'll force good habits!!! (Extra Spacing used for clarity)
if( isset( $_POST['submit'] ) ){

   if( !isset( $_POST['search'] ) ){

       # Change depending on how you report user errors.
       header('location: search.php?error='. urlencode( 'Please enter a search term.' ) ); 
       exit;

   } else {

       # Why no security? 0_o
       $search = mysql_real_escape_string( $_POST['search'] );

       # Continue the rest....
       # PHP PHP PHP PHP PHP........

   }

}

 

So, not to be picky, I know you said "basic" but all those years ago when I started learning PHP, I used tutorials posted in forums just like this and as a result I had bad habits and messy code. It took a while before some Pro told me to stop reading crap quality posts and buy a book. Basically, what I am saying is, basic example or not, use good habits for the sake of those wanting to learn ^^

Link to comment
Share on other sites

Just my two cents =)

I dislike HTML stuffed in with PHP :P



<form action="blah" method="post">
<p>
	<label for="search">Search:</label>
	<input type="text" name="search" id="search" />
</p>
<input type="submit" value="Search" />
</form>


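<?php
/*
PHP STUFF 
*/

if(isset($_POST['search'])) {

// new mysqli() always returns an object, so check connect_error instead of using "or"
$mysql = new mysqli('host', 'username', 'pass', 'db');
if($mysql->connect_error) {
	trigger_error('Error: '.$mysql->connect_error, E_USER_ERROR);
}

// The placeholder must be a bare ?; the % wildcards go into the bound value
$stmt = $mysql->prepare("SELECT `username` FROM `users` WHERE (`username` LIKE ?)");
// bind_param() takes its arguments by reference, so bind a variable
$search = '%'.strip_tags($_POST['search']).'%';
$stmt->bind_param('s', $search);
$stmt->execute();
// Buffer the result set so num_rows is available on the statement
$stmt->store_result();

if($stmt->num_rows) {

	$stmt->bind_result($username);
	while ($stmt->fetch()) {

		echo 'Username: '.$username; //I hate using markup within PHP tags (reason there's no </p> here).

	}
} else {
	//Error no results
}
$stmt->close();
$mysql->close();
}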

I doubt the above is very functional (or practical) but I hope it gives you an idea :thumbup:

Link to comment
Share on other sites

It's better but it will still error (For me with error reporting). It will work though.

 

$search = $_POST['search'];
$submit = $_POST['submit'];

 

Every time you enter the page you are placing posted data into a variable, but if you just entered the page and not posted yet, you'll get $search undefined index error.

Place this at the top of the script, and you will see what I mean:

 

<?php error_reporting(-1);  ?>

 

To fix, I used if isset to only collect $search if we actually submitted..

 

if( isset( $_POST['submit'] ) ){ // You don't need to store this into a variable as we're only using it here

   // Now code in here will only be run if $_POST['submit'] is-set...
   // Now we can move onto getting our search term.

   if( !isset( $_POST['search'] ) || empty( $_POST['search'] ) ){

       // No point searching without a search term
       die( 'Please enter a search term!');

   }

   // If we made it this far without the die() triggering above,
   // we should be good to continue..

   $search = mysql_real_escape_string( $_POST['search'] );

   // Add any additional filtering to $search and continue MySQL here

}

 

Now nothing is undefined because we're only executing our search code if we have actually pressed the Search Button :)

Good luck, hope that helps you out a little more, and remember to use the error_reporting(-1);, it'll help you improve the quality of your code greatly.

:thumbup:

Link to comment
Share on other sites

The search is case sensitive! So add or change (your choice):

 


$search = $_POST['search'];
# $search = strip_tags( $search );
# $search = $mysqli->real_escape_string( $search );
$search = strtoupper($search);

$sql = "SELECT `username` FROM `users` WHERE upper(username) LIKE '%$search%'";


 

You are reading public information, so you don't have to be so alert. I think the strip tags and escape string will do just fine.

After that you could simply check if $mysqli->num_rows > 0 start a loop with while($array = $mysqli->fetch_array(MYSQLI_ASSOC)) { // echo ""; } etc.

Link to comment
Share on other sites
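
An added example, not code from any of the posts above, for the two LIKE queries in this thread (the prepared statement and the upper(username) one): the search term is bound as a parameter with the wildcards in the bound value, and its own % and _ are escaped so they match literally. It assumes PHP 8 with pdo_sqlite, using an in-memory SQLite table as a stand-in for the MySQL users table; the function names, the ! escape character and the sample rows are constructed.

```php
<?php
// Added example: in-memory SQLite stands in for the thread's MySQL `users` table.
function open_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (username) VALUES (?)');
    // Constructed sample rows
    foreach (['Blade_Maker', 'BladeXMaker', 'Mr.Doodles', "O'Neil", '100%pure'] as $name) {
        $ins->execute([$name]);
    }
    return $db;
}

// Binding keeps the value out of the SQL text, but % and _ still act as
// wildcards inside LIKE. Prefix them (and the escape character itself) with !
function like_contains(string $term): string {
    return '%' . strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
}

function search_usernames(PDO $db, string $term): array {
    // Bare ? placeholder: a ? inside '%?%' is literal text, not a parameter.
    $stmt = $db->prepare(
        "SELECT username FROM users
          WHERE UPPER(username) LIKE UPPER(?) ESCAPE '!'
          ORDER BY username"
    );
    $stmt->execute([like_contains($term)]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = open_demo_db();
foreach (['blade_', '%', "O'Neil", 'doodles'] as $term) {
    printf("%-8s => %s\n", $term, json_encode(search_usernames($db, $term)));
}
```

The same query text and escaping work unchanged with mysqli or PDO MySQL, because the ESCAPE clause names the escape character explicitly.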

EW DJK! burn in hell for that lol
  $_POST['search'] = isset($_POST['search']) && ctype_alnum($_POST['search']) ? $_POST['search'] : FALSE ;
if ( empty($_POST['search']) ) {

Then simply replace

strip_tags($_POST['search'])

with

$_POST['search']

Now why would I do that?

For example I wanted to search for someone with the name 'Mr.Doodles' or 'Newbs!!'.

I'd want to allow characters that aren't [A-Za-z]

Personally I'd use

filter_var($var, FILTER_SANITIZE_STRING);

But I couldn't be assed typing it ^.^

Link to comment
Share on other sites
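
An added example, not code from the posts above, of the allow-list check discussed in the last reply and of encoding usernames when they are written into the result link. The accepted character set, the 32-character limit and the function names are assumptions, and the [url] line in the first post is assumed to stand for an HTML link.

```php
<?php
// Added example. Assumed rule: 1-32 characters from letters, digits and . _ ! -
// Match it to whatever your registration form accepts as a username.
function valid_search_term($raw): ?string {
    if (!is_string($raw)) {          // search[]=x arrives as an array
        return null;
    }
    $term = trim($raw);
    if (!preg_match('/\A[A-Za-z0-9._!-]{1,32}\z/', $term)) {
        return null;
    }
    return $term;
}

// Encode per output context: rawurlencode() for the URL path segment,
// htmlspecialchars() for the attribute value and for the link text.
function profile_link(string $username): string {
    $href = htmlspecialchars(rawurlencode($username) . '.php', ENT_QUOTES, 'UTF-8');
    $text = htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $href . '">' . $text . '</a>';
}

// Constructed inputs: ctype_alnum() rejects the punctuated names that the
// allow-list accepts, and both reject markup, empty input and arrays.
foreach (['Mr.Doodles', 'Newbs!!', 'abc123', '<b>x</b>', '', ['a']] as $input) {
    printf("%-14s ctype_alnum=%-5s allow-list=%s\n",
        json_encode($input, JSON_UNESCAPED_SLASHES),
        var_export(is_string($input) && ctype_alnum($input), true),
        var_export(valid_search_term($input) !== null, true));
}

// Usernames read back from the database are encoded regardless of how the
// search term was validated (second value is a constructed stored name).
echo profile_link('Mr.Doodles'), "\n";
echo profile_link('<b>"x"</b>'), "\n";
```

FILTER_SANITIZE_STRING, mentioned in the last reply, is deprecated as of PHP 8.1, which is why this sketch validates with a pattern and encodes at output instead.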
